Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    327s
  • max time network
    372s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2024 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe

  • Size

    6.4MB

  • MD5

    2eafb4926d78feb0b61d5b995d0fe6ee

  • SHA1

    f6e75678f1dafcb18408452ea948b9ad51b5d83e

  • SHA256

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

  • SHA512

    1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

  • SSDEEP

    196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score
10/10
xmrigevasionminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 20 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
    "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2288
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2544
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:1444
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2388
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "FLWCUERA"
        2⤵
        • Launches sc.exe
        PID:2144
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        2⤵
        • Launches sc.exe
        PID:2128
    • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      1⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\system32\conhost.exe
        conhost.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2928
      • C:\Windows\system32\conhost.exe
        C:\Windows\system32\conhost.exe
        2⤵
          PID:1896

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        323KB

        MD5

        48a2bbc7566564cfc938e2c405da8944

        SHA1

        8c33bd5fdae18f8d60cb9651139a8d271d612f8e

        SHA256

        b08085641edebc6126cbe638bc185e5fbdf6127aa52c456b33cd7b65a69eb2ea

        SHA512

        4faa2cee5d2b4d8cfd5460a7186f6cfdcd16ac775d0ae99820a086e563a3bb78bae0894261922d2379b4f2c77125881c27c4e41c62a720ba0fd29b03ce8f71f6

        Download Submit

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        193KB

        MD5

        79cdcdc0b18c10547c9bb5160ffc8a86

        SHA1

        b029000a42a4501b862e8b74fef6bd04529923c3

        SHA256

        128bc1e28cb6d25e569a022fceaf9ecd6aa94bd5e1cfbbc8b667ab499783f6f5

        SHA512

        46b0d432f11dd90a7c6c9811bb04862476b68447ec749d98cd8b2ae838aa495a98e0d44522250817e15204fa6d5c3893aabb331e0a4e524a2d9bf6deeac8b275

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        961KB

        MD5

        40f27044a74d72d0888628572d0c1d90

        SHA1

        7cff07c3da97c07bcb36e3da2953f0dd77e9072f

        SHA256

        3e246e9de09f54a200882c424559f205f1dc6ab03031973e08c9df35b4cf5a95

        SHA512

        44187abbf2b9f119b8072c2838e9fd4a2dff70eb3ffb371567a2e8550e0d72ec9213cc657ee08ca7d1033b28c4774d5af00434460d5060b33678465283e1f2f8

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        1.1MB

        MD5

        8677f564a90c3fce16f04f115aac94cf

        SHA1

        d8a837dd45f998a2d94349caa11db71503920ba6

        SHA256

        b84b9e7cc4910b6316bc9799cb3663a2856aecfc2caa2d37bd4da40d97a96a73

        SHA512

        afa5587c4e41122b025675f520eda201d5f4198e50b3848f6d0933fed6c71d219fdf3f79cf0ea89a1600086d669eb4a71aded900d3f0cd27e6752d0baccfbcbd

        Download Submit

      • memory/1896-12-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1896-17-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1896-10-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1896-11-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1896-13-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1896-14-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2044-9-0x000000013F9D0000-0x000000014040D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2044-29-0x000000013F9D0000-0x000000014040D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2288-5-0x000000013F5E0000-0x000000014001D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2288-3-0x000000013F5E0000-0x000000014001D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2288-2-0x000000013F5E0000-0x000000014001D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2288-0-0x000000013F5E0000-0x000000014001D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2288-1-0x000000013F5E0000-0x000000014001D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2928-32-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-35-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-25-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-30-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-27-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-26-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-24-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-23-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-33-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-22-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-21-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-20-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-34-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-31-0x00000000001F0000-0x0000000000210000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2928-18-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-36-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-38-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-39-0x0000000000AD0000-0x0000000000AF0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2928-37-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-40-0x0000000000AD0000-0x0000000000AF0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2928-41-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-42-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-43-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-44-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2928-45-0x0000000000AD0000-0x0000000000AF0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2928-46-0x0000000000B80000-0x0000000000BA0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2928-47-0x0000000000AD0000-0x0000000000AF0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2928-48-0x0000000000B80000-0x0000000000BA0000-memory.dmp

        Filesize

        128KB

        Download